Runescape is a large online game with a pure-Java client which runs in the browser as a signed applet. It is pretty unique in that regard, with the other major example I know being Yohoho Puzzle Pirates. Due in part to the forces in the game economy, there is a large population of automated players running various bot software to grind for in-game resources.
These bots are some of the most complex Java applications I have seen, especially with regard to modifying the JVM state at runtime. I'm curious how these work, not necessarily specific to a particular game but more generally. (You can Google for examples pretty easily. I'm not going to direct link any because some of them are allegedly associated with malware.)
From what I can figure out, this is the approximate flow of what the bot does:
- Launches and attaches to the game applet. I'm not sure if this is a result of launching the applet in the bot's current JVM or a result of attaching to the game's JVM after it launches.
- Reads the game state. This at least means getting a reference to the current Applet and reading off of its Graphics. I'm not sure what else is involved here. I know some bots get references to some of the game's own objects and call their getters to read internal state programmatically.
- Fakes input. As far as the game can tell, it's receiving regular mouse and keyboard events. However, these are faked at the AWT level, since these bots can run fine when not in the foreground, and they do not use the system cursor.
How is each of these steps performed? What would I do if I wanted to write a similar bot for a similar game? Specifically:
- Should the bot launch the game, or attach to the game after it launches? Which of these approaches is feasible/reasonable? How are they done? In each case, how feasible/reasonable is it to get references to the game's Applet? What about JFrames or other AWT/Swing components it contains?
- Given a reference to the game's various AWT/Swing components, how does the bot go about reading them? When/where is it safe to do this?
- How does the bot call into the game code to call getters for client state? Note that the game code is obfuscated, and the names likely change with every build even if the overall topology of the code is almost the same. How does the author find these methods of interest to begin with?
- How does the bot send fake AWT input events? How does it do so in a reasonable and consistent manner?
I'm not necessarily looking to write such a bot, although this is one of the more interesting pieces of software I've seen lately, so I'm definitely looking to learn more about it. Interestingly enough, I think a lot of the stuff here could be applied to non-adversarial situations such as automated UI testing.
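The non-adversarial case mentioned at the end, driving a Swing component with synthetic AWT events the way an automated UI test does, looks like the following. This is an added example, not code from the question or from any bot; it uses only public JDK APIs (`java.awt.event.MouseEvent`, `Component.dispatchEvent`, `SwingUtilities.invokeAndWait`) and assumes a JVM with a display available, since `JFrame` cannot be constructed headless. The class and method names are this example's own.

```java
import java.awt.Component;
import java.awt.event.MouseEvent;
import java.util.concurrent.atomic.AtomicInteger;
import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.SwingUtilities;

/**
 * Added example: exercises a Swing button with synthetic AWT mouse events,
 * as a headless-style UI test would, without moving the system cursor.
 */
public class SyntheticClickDemo {

    /** Builds press/release/click events at the component's centre and dispatches them on the EDT. */
    static void clickCentre(Component target) throws Exception {
        int x = target.getWidth() / 2;
        int y = target.getHeight() / 2;
        long when = System.currentTimeMillis();

        // MouseEvent(source, id, when, modifiersEx, x, y, clickCount, popupTrigger, button)
        MouseEvent press = new MouseEvent(target, MouseEvent.MOUSE_PRESSED, when,
                MouseEvent.BUTTON1_DOWN_MASK, x, y, 1, false, MouseEvent.BUTTON1);
        MouseEvent release = new MouseEvent(target, MouseEvent.MOUSE_RELEASED, when,
                0, x, y, 1, false, MouseEvent.BUTTON1);
        MouseEvent click = new MouseEvent(target, MouseEvent.MOUSE_CLICKED, when,
                0, x, y, 1, false, MouseEvent.BUTTON1);

        // Swing components must only be touched from the Event Dispatch Thread;
        // invokeAndWait blocks the caller until the three events have been processed.
        SwingUtilities.invokeAndWait(() -> {
            target.dispatchEvent(press);
            target.dispatchEvent(release);
            target.dispatchEvent(click);
        });
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger actions = new AtomicInteger();
        JButton button = new JButton("Go");
        button.addActionListener(e -> actions.incrementAndGet());

        JFrame frame = new JFrame("SyntheticClickDemo");
        frame.add(button);
        // pack() realises the native peers and lays out the button so it has a non-zero size;
        // the frame is never made visible, which is why no cursor movement is involved.
        SwingUtilities.invokeAndWait(frame::pack);

        clickCentre(button);

        // The button's ActionListener fires once from the press/release pair.
        System.out.println("ActionListener fired " + actions.get() + " time(s)");
        SwingUtilities.invokeAndWait(frame::dispose);
    }
}
```

The button never appears on screen and the OS never sees a click; the listener fires purely because the events were handed to the component's own `dispatchEvent`. Any harness that can obtain a reference to the component, a test framework holding the frame it created, for instance, can drive it this way, which is why the same mechanism serves ordinary UI test automation.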